ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Video Making Free Course

v1.0.0

Turn a 2-minute raw screen recording of a tutorial into 1080p structured course videos just by typing what you need. Whether it's turning raw recordings into...

0· 35·0 current·0 all-time
by@mory128
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the actions in SKILL.md: sending video uploads to a cloud render pipeline, creating sessions, polling renders, and returning download URLs. Requesting a NEMO_TOKEN and a config path for nemo video are coherent with a cloud video service.
!
Instruction Scope
The runtime instructions explicitly perform network calls to an external API (mega-api-prod.nemovideo.ai), upload user files, create anonymous tokens, and persist session state. Those operations are expected for cloud video processing but carry privacy implications: user video content will be transmitted to a third-party backend. The instructions also say to 'not display raw API responses or token values' (i.e., hide tokens), and they don't specify secure storage semantics for tokens/session IDs beyond a config path—this increases the chance data or tokens could be silently stored or reused without explicit user consent.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-write risk; there are no downloads or external install URLs to evaluate.
Credentials
Only one credential is required (NEMO_TOKEN) and it's the declared primaryEnv. That is proportionate for a cloud API. However the skill instructs that if NEMO_TOKEN is absent it should automatically obtain an anonymous token and then store/use it; this automatic creation and persistence of credentials is potentially surprising to users and worth explicit consent. Metadata also references a config path (~/.config/nemovideo/) where state may be written—reasonable for caching but something users should be alerted to.
Persistence & Privilege
always is false and the skill does not request system-wide privileges or to modify other skills. It will retain session state and tokens for subsequent API calls (normal for this use-case), but storage location/retention policy is unspecified.
What to consider before installing
This skill will upload your videos and related project data to an external service (mega-api-prod.nemovideo.ai) and uses a NEMO_TOKEN to authorize requests. The skill will auto-create an anonymous token if none is present and may store session/token data under ~/.config/nemovideo/. Before installing, consider: (1) The skill's source/homepage is missing—there's no easily verifiable publisher or privacy policy. (2) Any uploaded video may contain sensitive information; only use this with content you are comfortable uploading to a third party. (3) You can prefer to supply your own NEMO_TOKEN rather than allowing the skill to create one automatically. (4) Ask the publisher where tokens and files are stored, how long they are retained, and how to revoke/delete them. If you need stronger assurance about data handling or provenance, avoid installing until the publisher and privacy terms can be verified.

Like a lobster shell, security has layers — review code before you run it.

latestvk973t7gw414tfbhfmdgvvk55xd84r19j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎓 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments